WordPress, the go-to choice for blogging software, has issued a new release that it is classifying as a security hardening update. All WordPress users are strongly encouraged to update their blogs to the latest version.
WordPress hardens security with version 2.8.5 - please do us all a favor and patch now.
There are some interesting things about the security fix. The first is that it corrects the flaw that led to a worm attacking outdated WordPress installations. The downside, however, is that users will actually need to apply the update before this matters at all.
The worm is an automated attack that hunts down outdated WordPress installations and targets various aspects of the software. For the RSS side of the installation, the attacker will hit WordPress’ XMLRPC script, the permalink and trackback functions, and other items.
If the attack is successful, you can expect to see a newly created admin user account that is hidden, as well as a slew of spam on older posts. The new admin account and the spam are just the start, as the worm will also use your older posts to serve malware to anyone who visits your site. We covered it not too long ago here.
The other interesting aspect to the security update is that the WordPress development team back-ported all the security updates for version 2.9 of WordPress to the 2.8 branch. So think of it as an early security present. All of the new security features, a whole version early.
“As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch,” wrote Peter Westwood on the development blog.
The back-ported security features include the removal of areas in the core WordPress code where PHP in variables was evaluated. They switched the file upload functionality to a whitelist for all users, including administrators, and retired two of the importers of tag data from old plugins.
In addition to the security update, the blog post pointed to a security plugin called WordPress Exploit Scanner. It searches the files on your website, and the posts and comments tables of your database for anything that looks suspicious. According to the description, it will also examine your list of active plugins for unusual filenames. What it will not do is remove things. That would be up to the site administrator.
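As an added illustration of the kind of checks such a scanner performs (example code written for this article, not the WordPress Exploit Scanner plugin's own code), the Python script below runs a few simple heuristics over constructed sample post, comment and active-plugin data. The sample rows, the suspicious patterns and the "expected plugin path" rule are assumptions made for the example; like the plugin, it only reports and never removes anything.

```python
import re

# Constructed sample rows standing in for wp_posts, wp_comments and the
# active_plugins option; not real data from any site.
POSTS = [
    {"ID": 1, "post_content": "Hello world, my first post."},
    {"ID": 2, "post_content": 'Old post<div style="display:none">'
                              '<iframe src="http://example.invalid/x"></iframe></div>'},
    {"ID": 3, "post_content": "<?php eval(base64_decode('aGVsbG8=')); ?>"},
]
COMMENTS = [
    {"comment_ID": 10, "comment_content": "Nice post!"},
    {"comment_ID": 11, "comment_content": "<a href='http://example.invalid'>buy now</a> " * 3},
]
ACTIVE_PLUGINS = ["akismet/akismet.php", "hello.php", ".cache/__wp_up.php", "tmp x/tmp.php"]

def _rx(pattern):
    rx = re.compile(pattern, re.I)
    return lambda text: rx.search(text) is not None

# Each check is (label, predicate on the text). Injected content tends to be
# evaluated PHP, decoded payloads or hidden frames; spam tends to be link-heavy.
CHECKS = [
    ("eval", _rx(r"\beval\s*\(")),
    ("base64_decode", _rx(r"base64_decode\s*\(")),
    ("hidden block", _rx(r"display\s*:\s*none")),
    ("iframe", _rx(r"<iframe\b")),
    ("script tag", _rx(r"<script\b")),
    ("many links", lambda text: len(re.findall(r"<a\s", text, re.I)) >= 3),
]
# Active-plugin entries are paths relative to the plugins directory; this example
# expects "dir/file.php" or "file.php" in lowercase letters, digits, dashes, underscores.
PLUGIN_PATH = re.compile(r"^(?:[a-z0-9_-]+/)?[a-z0-9_-]+\.php$")

def scan_text(kind, ident, text):
    return [(kind, ident, label) for label, hit in CHECKS if hit(text)]

def scan_plugins(plugins):
    return [("plugin", p, "unusual filename") for p in plugins if not PLUGIN_PATH.match(p)]

def scan(posts, comments, plugins):
    """Return (kind, identifier, reason) triples; nothing is modified or removed."""
    findings = []
    for p in posts:
        findings += scan_text("post", p["ID"], p["post_content"])
    for c in comments:
        findings += scan_text("comment", c["comment_ID"], c["comment_content"])
    return findings + scan_plugins(plugins)
```

Calling `scan(POSTS, COMMENTS, ACTIVE_PLUGINS)` on the sample data reports the hidden iframe in post 2, the eval/base64 payload in post 3, the link-heavy comment 11 and the two oddly named plugin entries, leaving the clean rows alone.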
More information on the WordPress Exploit Scanner is here. You can get the update by checking the administration panel in your existing installation for the one click update, if it is available to your version. If not, it is available now from http://wordpress.org/.